diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..73992aa --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,31 @@ +version: 2 +updates: + - package-ecosystem: gomod + directory: "/" + schedule: + interval: weekly + day: monday + time: "06:00" + timezone: Etc/UTC + open-pull-requests-limit: 5 + groups: + gomod-security: + applies-to: security-updates + patterns: + - "*" + gomod-minor-patch: + applies-to: version-updates + update-types: + - minor + - patch + + - package-ecosystem: github-actions + directory: "/" + schedule: + interval: weekly + day: monday + open-pull-requests-limit: 3 + groups: + actions: + patterns: + - "*" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..c63ca5e --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,48 @@ +name: CodeQL + +on: + push: + branches: [master, main] + pull_request: + branches: [master, main] + schedule: + - cron: '17 6 * * 1' + +permissions: + actions: read + contents: read + security-events: write + +jobs: + analyze: + name: Analyze (Go) + runs-on: ubuntu-latest + timeout-minutes: 30 + steps: + - name: Checkout this repo + uses: actions/checkout@v4 + with: + path: api + - name: Checkout sibling InstaNode-dev/common + uses: actions/checkout@v4 + with: + repository: InstaNode-dev/common + path: common + - name: Checkout sibling InstaNode-dev/proto + uses: actions/checkout@v4 + with: + repository: InstaNode-dev/proto + path: proto + - uses: actions/setup-go@v5 + with: + go-version-file: api/go.mod + - uses: github/codeql-action/init@v3 + with: + languages: go + queries: security-extended + - name: Build + working-directory: api + run: go build ./... + - uses: github/codeql-action/analyze@v3 + with: + category: "/language:go" diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml new file mode 100644 index 0000000..02073b3 --- /dev/null +++ b/.github/workflows/govulncheck.yml @@ -0,0 +1,39 @@ +name: govulncheck + +on: + push: + branches: [master, main] + pull_request: + branches: [master, main] + schedule: + - cron: '0 6 * * *' + +permissions: + contents: read + +jobs: + govulncheck: + runs-on: ubuntu-latest + timeout-minutes: 15 + steps: + - name: Checkout this repo + uses: actions/checkout@v4 + with: + path: api + - name: Checkout sibling InstaNode-dev/common + uses: actions/checkout@v4 + with: + repository: InstaNode-dev/common + path: common + - name: Checkout sibling InstaNode-dev/proto + uses: actions/checkout@v4 + with: + repository: InstaNode-dev/proto + path: proto + - uses: actions/setup-go@v5 + with: + go-version-file: api/go.mod + check-latest: true + - run: go install golang.org/x/vuln/cmd/govulncheck@latest + - working-directory: api + run: govulncheck ./... diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml new file mode 100644 index 0000000..89d7540 --- /dev/null +++ b/.github/workflows/osv-scanner.yml @@ -0,0 +1,22 @@ +name: OSV-Scanner + +on: + push: + branches: [master, main] + pull_request: + branches: [master, main] + schedule: + - cron: '0 6 * * *' + +permissions: + actions: read + contents: read + security-events: write + +jobs: + scan: + uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.0.1 + permissions: + actions: read + contents: read + security-events: write diff --git a/go.mod b/go.mod index f447663..0cd368c 100644 --- a/go.mod +++ b/go.mod @@ -2,6 +2,8 @@ module instant.dev go 1.25.0 +toolchain go1.25.10 + require ( github.com/DATA-DOG/go-sqlmock v1.5.2 github.com/alicebob/miniredis/v2 v2.37.0